- Interact with Azure Cosmos DB with PowerShell - Tue, Sep 14 2021
- Azure health services: Track Microsoft cloud outages and maintenance - Wed, Sep 8 2021
- Powerline: Customize your PowerShell console - Tue, Aug 31 2021
As a working Windows systems administrator, you know that Group Policy in Active Directory Domain Services (AD DS) gives you a degree of centralized control over Microsoft's own web browsers, Edge and Internet Explorer.
However, nowadays in today's Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) IT landscape, your users likely prefer non-Microsoft browsers such as Google Chrome or Mozilla Firefox.
How can you enforce your organizational security policies, given this cross-vendor web browser context? ManageEngine developed a point solution called Browser Security Plus that addresses just this use case. Let's take a look.
Browser Security Plus in a nutshell ^
Browser Security Plus (BSP) is a software-as-a-service (SaaS) application that consists of the following components:
- Server services (the server itself, a notification service, and an Apache web server service)
- A web-based management interface
- An .msi agent
Although the Browser Security Plus server includes open-source components, this solution is aimed at Windows-based servers and endpoints. Moreover, the supported browser list noticeably does not include Apple Safari:
- Microsoft Edge
- Microsoft Internet Explorer
- Google Chrome
- Mozilla Firefox
The BSP core feature set incorporates the following four value propositions:
- Detect: Gain visibility into which browsers your users use and which browser add-ons they have installed
- Enforce: Deploy security configurations to mitigate phishing and malware attacks
- Control: Regulate access to browser add-ons and browser-based apps
- Audit: Report on browser usage and policy compliance
Installation and configuration ^
Per the Browser Security Plus documentation, you install the server on a Windows Server or even a Windows Client device that meets reasonably low system requirements. As I said, all server management occurs via a central web application that listens on TCP port 9393 for HTTPS and TCP port 9030 for HTTP, by default.
The default login is a disappointing admin/admin combination; of course you will want to perform a number of post-installation tasks right away:
- Change the admin account password
- Install your own private or public SSL/TLS certificate to protect the management site
- Configure proxy and/or mail server IP addresses as appropriate
The following screenshot shows the BSP Admin global settings page:
After you configure the BSP server itself, it's time to deploy the agent to your Windows-based endpoints. Navigate to Agent > Active Directory and add your AD domain to the tool by specifying domain administrative credentials.
You now can add computers and deploy the agent directly from the Scope of Management page, shown in the next screenshot.
You will also want to navigate to Manage > Groups & Computers and assign computers with similar browser requirements into one or more groups.
Defining our first browser management policy ^
Oh boy—where to begin? There are so many management options to choose from in this tool. First, from the Manage page, check out:
- Sites Group: Create groups of website URLs you want to add to your policies as one unit
- Extension Repository: Pre-populate browser extensions either required for your users to have or make them available to them optionally
Now head over to the Policies page in the BSP web management portal. Here are the general policy categories:
- Threat Prevention: Allow or restrict file downloads, enable a phishing filter, or require strict digital certificate revocation checking
- Data Leakage Prevention: Apply digital rights management (DRM) policies, such as restricting the user's ability to screenshot the browser, print a webpage, and so forth
- Add-on Management: Control which browser extensions users can and cannot install (shown in the next screenshot)
- Web Isolation: Block data persistence between browsing sessions and restrict iFrame behavior
- Browser Lockdown: Convert the browser to kiosk mode when accessing certain URLs
- Browser Router: Manage inter-browser compatibility issues by redirecting traffic to particular browser(s)
- Java Manager: Control access to the Java Runtime Environment on users' computers
- Browser Customization: Configure content restrictions, URL access rules, and default home page; control browser startup behavior
The client experience ^
By default, the user is unable either to modify the BSP agent properties or install the agent. I show you this in the next screenshot.
From there, the product simply works. For example, in my lab environment I created a strict Add-on Management policy in which users cannot install their own Chrome extensions, and instead can only install extensions on my whitelist.
As you can see in the following screenshot, the product prevents the user from undertaking a restricted action.
Two criticisms I have of the BSP end-user experience are:
- I sometimes needed to reassociate a policy manually to a management group or to individual managed computers to get the policy to "take" on the endpoint
- The block messages are not particularly descriptive or user-friendly
Reporting on browser usage and security policy ^
BSP includes a number of dashboards and built-in reports on its Insights page to help you gain insight on your user base, their browsing habits, and their endpoint compliance. Some of the built-in reports include:
- Unsecure (unsigned) plug-ins
- Phishing filter compliance status
- Outdated plug-ins
- Potentially harmful extensions
- Computers with or without a specific extension
- Computers with or without a specific plug-in
I show you the Browsers dashboard in my lab environment next:
The web interface allows you to view your report data as a table, customize visible columns, and export your reports as PDF, CSV, or Excel documents.
The Compliance page lets you define the browser policy settings you need to track for compliance purposes and then report on your endpoints' current status.
ManageEngine requires you ask them for a quote to determine their specific license prices, but I can tell you they license Browser Security Plus in two models:
- Annual subscription: Fixed cost per year that includes product support
- Perpetual model: One-time license fee with annual maintenance costs
In summary, I think BSP does a decent job at managing a multi-browser environment in a way that does not require a lot of additional hardware or software. On the other hand, I tend to dislike so-called "point solutions" and instead prefer more all-encompassing central management products.
Subscribe to 4sysops newsletter!
If you do struggle with supporting multiple users with multiple browsers, and balance user convenience on one hand against regulatory/policy compliance on the other, you may want to take a closer look at ManageEngine Browser Security Plus.